Malware Found On Brand-New Windows Netbook

An anonymous reader alerts us to an interesting development that Kaspersky Labs stumbled across. They purchased a new M&A Companion Touch netbook in order to test a new anti-virus product targeted at the netbook segment, and discovered three pieces of malware on the factory-sealed netbook. A little sleuthing turned up the likely infection scenario — at the factory, someone was updating Intel drivers using a USB flash drive that was infected with a variant of the AutoRun worm. "Installed along with the worm was a rootkit and a password stealer that harvests log-in credentials for online games such as World of Warcraft. ... To ensure that a new PC is malware-free, [Kaspersky] recommended that before users connect the machine to the Internet, they install security software, update it by retrieving the latest definition file on another computer, and transferring that update to the new system, then running a full antivirus scan."

Or...

[Kythe]

You could always reformat the darned thing from scratch using a known-good version of whatever OS you're going to be using.

Honestly, ever since Vista became the de-facto OS shipped with new computers, I've been doing that, anyway.

Re:Pffft

[Bigjeff5]

First, the autorun worm was absurdly difficult to remove. The larger the organization the more likely it is to stick around.

Second, have you ever built a corporate or OEM OS image before? Using a usb drive to install drivers is not only likely, it's practical.

The way modern mass-images work is as follows: you have your technician machine, upon which you build the custom tools to incorporate into the image - this would be scripting software packages, customizing settings, etc. Then you have your build machine - this is a clean machine with a fresh OS install on it. You then customize that machine exactly the way you want it, installing custom packages, add all the drivers for all the machines in your product lineup (be sure to include a script to remove the unneeded drivers post-sysprep!), and reseal it to OEM spec with sysprep (which calls any necessary post-build scripts).

Now, you test, test, test, and test to be sure it is good, and mass deploy it to all your hard drives that will be going into all your machines. Much of this does not have to be changed when new models are added, and with MS's newer tools a lot can simply be slipped in to the image itself without having to re-seal it. Very convenient. That also may be how this thing got in as well, who knows.

The breakdown here was on the final step: apparently nobody scanned the test machine for viruses/malware before deploying the image. I'm surprised only a few netbooks were hit, unless the others just haven't noticed yet, heh.